Bug 1650578
| Field | Value |
|---|---|
| Summary | Firefox and Chrome experience PIV popups when accessing a Satellite or IDM webUI |
| Product | Fedora |
| Component | firefox |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Version | 29 |
| Hardware | All |
| OS | Linux |
| Type | Bug |
| Reporter | Amy Farley <afarley> |
| Assignee | Daiki Ueno <dueno> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | 0xalen+redhat, afarley, anto.trande, dueno, elio.maldonado.batiz, gecko-bugs-nobody, jhorak, john.j5live, kdudka, kengert, klember, mpreisle, nmavrogi, pjasicek, rhughes, rrelyea, rstrode, sandmann, stefw, stransky, tmraz |
| Doc Type | If docs needed, set a value |
| Last Closed | 2019-09-19 12:38:45 UTC |
Created attachment 1506438 [details] screenshot

Description of problem:

When accessing a webUI using firefox or chrome, the crypto policy requires PIV auth and creates a popup. In cases where it is accessing data (like doing a Red Hat Repository page build in Satellite), this pop-up occurs 10 times during load. In order to work around the issue, the file:

```
# rm /etc/crypto-policies/local.d/nss-p11-kit.config
# update-crypto-policies
```

However, if this were a truly smart-card required environment, this would not be an acceptable fix.

Version-Release number of selected component (if applicable):

```
p11-kit-server-0.23.14-1.fc29.x86_64
p11-kit-trust-0.23.14-1.fc29.x86_64
p11-kit-0.23.14-1.fc29.x86_64
```

How reproducible:

Steps to Reproduce:
1. Take smart card enabled system and log into Satellite webUI
2. Click on Content -> Red Hat Repositories

This particular page in Satellite brings up the popup at least 10 times.

Actual results: PIV popup during load

Expected results: either 1 auth attempt or no popup at all

Additional info: There should be a way to specify or disable the auth for a particular case or service.

---

Would you be able to collect backtrace from the point the dialog actually appears? I think that should be possible with:

1. `dnf debuginfo-install firefox nss`
2. `gdb /usr/lib64/firefox/firefox-bin`

```
(gdb) b PK11PasswordPrompt
(gdb) r
...
(gdb) bt
```

---

On F29, I can only reproduce it under the following condition:

- softhsm package is installed, and a token is created
- _no_ physical smartcard/hardware token is attached

This is a bit different from the original description, and I am not really sure we are seeing the same issue. So I would like to clarify the following:

- which PKCS#11 driver is in use (and yubikey version)
- the call trace I asked in comment 1

FWIW, in my test, the call trace until PK11PasswordPrompt is:

```
mozilla::net::CanEnableSpeculativeConnect
  -> nsNSSComponent::HasUserCertsInstalled
  -> CERT_FindUserCertsByUsage
  -> CERT_GetCertNicknames
  -> pk11_TraverseAllSlots
  -> PK11PasswordPrompt
```

In CanEnableSpeculativeConnect, there are 2 checks on tokens attached to the system:

1. whether there is any removable slot: if there is any, it gives up
2. whether there is any user certificate (i.e. a certificate with a private key) in any token: if there is any, it gives up

https://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#2475

The problem is in (2), which results in authenticating all tokens.

---

I do not currently have a smart card setup, but when I do it is USB to PIV card reader. The Yubikey is a nano, configured only for 2fa token generation. Here is the lsusb output:

```
Bus 001 Device 002: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
```

---

I believe the patch in the linked upstream bug (against firefox) should fix the issue. Moving to firefox.

---

I'll look at it, Thanks.

---

It's already included in firefox-69.0 package, closing.